IETF Logo Mail Archive

Re: [dhcwg] Eric Rescorla's Discuss on draft-ietf-dhc-dhcp4o6-saddr-opt-06: (with DISCUSS and COMMENT)

<ian.farrer@telekom.de> Fri, 12 October 2018 10:45 UTC

Return-Path: <ian.farrer@telekom.de>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73D2B130E04; Fri, 12 Oct 2018 03:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.756
X-Spam-Level:
X-Spam-Status: No, score=-4.756 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.456, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telekom.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8s1oYka2t6AY; Fri, 12 Oct 2018 03:45:18 -0700 (PDT)
Received: from MAILOUT21.telekom.de (MAILOUT21.telekom.de [80.149.113.251]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91935130DF5; Fri, 12 Oct 2018 03:45:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telekom.de; i=@telekom.de; q=dns/txt; s=dtag1; t=1539341117; x=1570877117; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=t9ZY2b8m6MqEnx+ESB4TFcTBOk4Wt015xs7fLjOM438=; b=rAZQs8gcGBvZ4oWeq0fKi0N1E6YFysp0cb/JqpENnX/+KqTc4oo2QTSH 5y9DVEg0LUMcLehyg8MkJAk+4Km1VpbA8+Ytg/wCXPtDo4roaCnGBU8/0 qsMBgpBi17BDI3sxjPO5uHMtk+Qn7XWRQnY9Ybec5qPeAy1FiG7zXsrfg 6yd8yHIYa3flpGdZMaP0FQoYI5MmqwroIhDdC1YBxyR2OhUi4ogJ7Ve83 Jx8TeaWFO5x0GAmIldyhs6qmTJP9u59P8LEdnORFSllJiWsJY1/45VSo/ XbwkrvogDhLxywQUgWoOjAPL2Ofqst41mfN4nDkwY50D55r7hayHI9RIW A==;
Received: from qdec94.de.t-internal.com ([10.171.255.41]) by MAILOUT21.telekom.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Oct 2018 12:45:14 +0200
X-IronPort-AV: E=Sophos;i="5.54,371,1534802400"; d="scan'208";a="272123030"
Received: from he105872.emea1.cds.t-internal.com ([10.169.118.69]) by QDEC97.de.t-internal.com with ESMTP/TLS/AES256-SHA; 12 Oct 2018 12:45:13 +0200
Received: from HE105664.EMEA1.cds.t-internal.com (10.169.118.61) by HE105872.emea1.cds.t-internal.com (10.169.118.69) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 12 Oct 2018 12:45:13 +0200
Received: from HE106564.emea1.cds.t-internal.com (10.171.40.16) by HE105664.EMEA1.cds.t-internal.com (10.169.118.61) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Fri, 12 Oct 2018 12:45:13 +0200
Received: from GER01-FRA-obe.outbound.protection.outlook.de (51.4.80.20) by O365mail01.telekom.de (172.30.0.234) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 12 Oct 2018 12:45:10 +0200
Received: from FRXPR01MB0661.DEUPRD01.PROD.OUTLOOK.DE (10.158.154.13) by FRXPR01MB0664.DEUPRD01.PROD.OUTLOOK.DE (10.158.154.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1207.27; Fri, 12 Oct 2018 10:45:12 +0000
Received: from FRXPR01MB0661.DEUPRD01.PROD.OUTLOOK.DE ([fe80::6de4:4cd2:cebf:df95]) by FRXPR01MB0661.DEUPRD01.PROD.OUTLOOK.DE ([fe80::6de4:4cd2:cebf:df95%3]) with mapi id 15.20.1207.029; Fri, 12 Oct 2018 10:45:12 +0000
From: ian.farrer@telekom.de
To: ekr@rtfm.com, iesg@ietf.org
CC: draft-ietf-dhc-dhcp4o6-saddr-opt@ietf.org, dhc-chairs@ietf.org, volz@cisco.com, dhcwg@ietf.org
Thread-Topic: [dhcwg] Eric Rescorla's Discuss on draft-ietf-dhc-dhcp4o6-saddr-opt-06: (with DISCUSS and COMMENT)
Thread-Index: AQHUYQf9AQ6GpaObekOZxUzLeQV1qaUbkMQA
Date: Fri, 12 Oct 2018 10:45:12 +0000
Message-ID: <1B1F17D2-5FAE-4FEC-93CE-F1D9CEFC08C4@telekom.de>
References: <153922397672.5804.489295934152877724.idtracker@ietfa.amsl.com>
In-Reply-To: <153922397672.5804.489295934152877724.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.2.180910
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ian.farrer@telekom.de;
x-originating-ip: [2003:1c09:21:c20:cdd4:4e11:5e13:7295]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; FRXPR01MB0664; 6:jjnSdnlzgtF/KSs6hnQsL3z4JT+xRzXXu6p8fs31oXZSSTHrulVmCLMlJ24DBLnV7Tif4ALTxDDTMiSJ6RHQ7m7TVv8YbFuZYCLUwrfQB2LxJeScNAYh0LkKsgPCK1oCl+pAwmk5asFZ3ovJrQHfeduyG/j0kO8NA12jxN6hJDWkE1FtCsux3kOiNCbl742w/V2B2T67WJ73kkac9cJ5pPD8qncgxWkIZA1B+c+T9ImZbvUV8yPpUvRiFnhNNFhJjuupN1atBEsjrzBKwB5FRrYUMwxoMwwkhrmNE0yFd2ZTe7lhfEDAH3IQtHId5N2ziGbArxYXlrDlfFXy/PDf6Ypwte0KJX4EhJSHfqs06niii10FWwzy2/Hdl2h6G7F8ESFkYvTkruK9HNVTf1yYKeoPVxZLIaILOP0W50K9/zAkZZKEdycwKdPSrOcrex+96/Q/GgPD6cXUI8DxAMWkUQ==; 5:pJHVG5bzzXp2Nq/AKpXtDtq10Y1uMkUWfZw9fJy+Bio1pbL/GDrG4z3+yjb2kR7kQbFBths0LexdmUrtLPMnGyco0UKV/cWuOnW+BT8t+Yosww6HBOa7+JV4ijBFiIcfURICYjqA326C+axaMmpmHPeUB6qzYcFD2npF543lx1M=; 7:x2Jnmr4/7cjRA2XPpqQX11DlLOQ9CL1KoYJy1dyMyQTjq6klPnHgslfLkw5laMJtWH9erF8dOoxBzjP0mux009Lrhu2K3nuNHJXuUibT5UjddB3kzmUz8kfpzSyT39EBvJSSoscdfrbAWPfvuu0qS75CcTaBEw2CxNF73XbfkbCKz40UWuAxYLpxcenqTxjY5OqkeFM2hkfx71ZXOpSPhW/+uIj8IMpml+g4YgHtJMCNE7iNGc2sOUHmOGefhvAo
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 48092443-03a3-4a1a-8607-08d6302fc9ca
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:FRXPR01MB0664;
x-ms-traffictypediagnostic: FRXPR01MB0664:
x-microsoft-antispam-prvs: <FRXPR01MB066464427B1281801366C789FCE20@FRXPR01MB0664.DEUPRD01.PROD.OUTLOOK.DE>
x-exchange-antispam-report-test: UriScan:(120809045254105)(192374486261705)(158342451672863);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3231355)(944501410)(52105095)(3002001)(10201501046)(93006095)(93001095)(149066)(150057)(6041310)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123558120)(201708071742011)(7699051); SRVR:FRXPR01MB0664; BCL:0; PCL:0; RULEID:; SRVR:FRXPR01MB0664;
x-forefront-prvs: 0823A5777B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(376002)(346002)(366004)(39860400002)(136003)(189003)(199004)(8676002)(52396003)(110136005)(6246003)(53936002)(97736004)(58126008)(6306002)(54906003)(106356001)(105586002)(14454004)(561944003)(114624004)(74482002)(14444005)(966005)(256004)(4326008)(2906002)(82746002)(478600001)(102836004)(75402003)(316002)(76176011)(6116002)(11346002)(68736007)(33656002)(229853002)(186003)(81156014)(446003)(2900100001)(5250100002)(36756003)(83716004)(486006)(5660300001)(81166006)(7736002)(46003)(71190400001)(86362001)(8936002)(71200400001)(476003)(305945005)(2616005); DIR:OUT; SFP:1101; SCL:1; SRVR:FRXPR01MB0664; H:FRXPR01MB0661.DEUPRD01.PROD.OUTLOOK.DE; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: telekom.de does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 7Fra04Ghza05oYkF7hcRfmw+NDylMPbxjJsbpvOe9nqS8LAbxAM6YgaXv/Bx7reN62ATuu0JiqLUuB1axy3a6jpLNOifwwWbETr8BtQrD0151xQA4LSU3ws2yAdu1svU3mkr+GlidmCRBHD3O2iReicu0d+VOqFf1kTox9i2lZOOTZJWDdgP1h7iStLUlbka/U1izeMV5imNZ3gQXvJJAELwfjH/GUuRrXqc80Rb/g4L0n7CdrZ6cBWsfnDoaoScx9+F/HJgujZZ9g6OUfnblMry2+VMVazl42MTyDVoz3grT1nE0W2KyPtRVLNIuLtKfkE5ahKLfBGOu45F2bhHceXI2Qdv80DSp2NWGdppj/E=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <75B52453FEB0D24A82E49DBF37925E9A@DEUPRD01.PROD.OUTLOOK.DE>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 48092443-03a3-4a1a-8607-08d6302fc9ca
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Oct 2018 10:45:12.6280 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bde4dffc-4b60-4cf6-8b04-a5eeb25f5c4f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: FRXPR01MB0664
X-OriginatorOrg: telekom.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/UfG5zp8EiKdjY45jsXirtxRXaQ4>
Subject: Re: [dhcwg] Eric Rescorla's Discuss on draft-ietf-dhc-dhcp4o6-saddr-opt-06: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Oct 2018 10:45:21 -0000

Hi Eric,

Many thanks for your comments. Please see inline below.

Regards,
Ian

On 11.10.18, 04:13, "dhcwg on behalf of Eric Rescorla" <dhcwg-bounces@ietf.org on behalf of ekr@rtfm.com> wrote:

    Eric Rescorla has entered the following ballot position for
    draft-ietf-dhc-dhcp4o6-saddr-opt-06: Discuss
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcp4o6-saddr-opt/
    
    
    
    ----------------------------------------------------------------------
    DISCUSS:
    ----------------------------------------------------------------------
    
    Rich version of this review at:
    https://mozphab-ietf.devsvcdev.mozaws.net/D5110
    
    
    I believe there are security issues as detailed in this review.
    
    DETAIL
    S 9.
    >      For such an attack to be effective, the attacker would need to know
    >      both the client identifier and active IPv4 address lease currently in
    >      use by another client.  The risk of this can be reduced by using a
    >      client identifier format which is not easily guessable, e.g., by
    >      including a time component for when the client identifier was
    >      generated (see [I-D.ietf-dhc-rfc3315bis] Section 11.2).
    
    This doesn't seem like a very strong defense. At minimum you need an
    analysis of the level of entropy.
    
    I note that an on-path attacker (as RFC 3552 requires us to consider)
    will have no real problem with this attack. This seems fairly serious.

[if - I 

      A rogue client could attempt to use the mechanism described
      in Section 4.2.1 to redirect IPv4 traffic
      intended for another client to itself. This would be performed by
      sending a DHCPREQUEST message for another client's active IPv4
      lease containing the attacker's softwire IPv6 address in
      OPTION_DHCP4O6_S46_SADDR.

      For such an attack to be effective, the attacker would
      need to know both the client identifier and active IPv4
      address lease currently in use by another client. This could
      be attempted in three ways:

      1, One customer learning the active IPv4 address lease
         and client identifier of another customer via snooping
         the DHCP4o6 message flow between the client
         and server. The mechanism described in this document is
         intended for use in a typical ISP network topology with 
         a dedicated layer-2 access network per-client,
         meaning that snooping of another client's traffic is
         not possible. If the access network is a shared
         medium then it provisioning softwire clients using
         dynamic DHCP4o6 as described here is 
         not recommended.
         
      2, Learning the active IPv4 address lease and client identifier
         via snooping the DHCP4o6 message flow between the client
         and server in the aggregation or core ISP network.
         In this case, the attacker requires a level
         of access to the ISP's infrastructure that means they can already
         intercept or interfer with traffic flows to the client.
         
      3, An attacker could attempt to brute-force guessing the IPv4
         lease address and client identifier tuple. The risk of
         this can be reduced by using a client identifier format
         which is not easily guessable, e.g., by using a UUID
         based client identifier (see [I-D.ietf-dhc-rfc3315bis]
         Section 11.5).
    
    ]

    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    S 1.
    >      A dynamic provisioning model, such as using DHCPv4 over DHCPv6
    >      [RFC7341] (DHCP 4o6) allows much more flexibility in the location of
    >      the IPv4-over-IPv6 softwire source address.  In this model, the IPv6
    >      address is dynamically communicated back to the service provider
    >      allowing the corresponding softwire configuration to be created in
    >      the border router (BR).
    
    I'm sure this is obvious to the informed, but it would have helped me
    to have explained that the setting here is that the client has v6-only
    service and is going to get a v4 address and tunnel that over v6.
    

[if - The abstract tries to cover this, but it could be made more clear. How
about:

OLD:
DHCPv4 over DHCPv6 (RFC7341) is a mechanism for dynamically 
        configuring IPv4 over an IPv6-only network. For DHCPv4 over DHCPv6
NEW:
 DHCPv4 over DHCPv6 (RFC7341) is a mechanism for dynamically 
        configuring IPv4 for use as an over-the-top service in a IPv6-only
        network. Softwires are an example of such a service. For DHCPv4 over
        DHCPv6.....
]
    
    S 5.
    >              OPTION_DHCP4O6_S46_SADDR (TBD2) with the IPv6 address which
    >              the client will use as its softwire source address.
    >   
    >      Step 4  The server sends a DHCPv6 'DHCPV4-RESPONSE (21)' message.
    >              OPTION_DHCPV4_MSG contains a DHCPv4 DHCPACK message.
    >              OPTION_DHCP4O6_S46_SADDR with the client's softwire source
    
    Which of these messages contains the client's assigned IPv4 address?
    It's the DHCPOFFER, right?

[if - DHCPOFFER contains an address proposal for the client, but the actual
allocation is not made until the client sends the DHCPREQUEST for the
address and the server responds with the DHCPACK saying that that the
allocation request has been successful.

Would it be helpful to add a pointer here to Section 3.1 "Client-server interaction 
- allocating a network address" of RFC2131?]
    
    
    _______________________________________________
    dhcwg mailing list
    dhcwg@ietf.org
    https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email